IDS mailing list archives
Re: Full Packet Capture - User Requirements
From: Dr Bit Bucket <drbitbucket () comcast net>
Date: Wed, 21 Jul 2004 21:00:32 -0600
Hi Andy,

Immediate user requirements generally don't factor into the picture. Intrusion Detection and Incident Response definitely do. You might be able to use the data to draw some conclusions about trends and active services, though, and present them to users or management.
Simply using tcpdump, you have to rotate the processes every hour (tcpdump barfs if it runs for too long).
Here are the two types of data captures you want:

Full content: tcpdump -s 1524...
Headers: tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0 ...

Full content may be too much for all ports in most environments. You may have to be very selective about the kinds of ports where you get your most bang for your bit.
You use the headers to narrow down what you want to look for in detail in the full content. In addition, it is very useful to determine the scope of an attack or compromise using the headers: what other machines did this hostile hit, how long did they log in for, I see this backdoor in use from hostile A and hey, looks like a new hostile B is also using it too.
Retention of the headers should be a year or so, since the data compresses well. Full content depends upon your network, but I've found that if you haven't caught an incident within 60 days, you probably won't catch it at all. But then again, I've looked at incidents where I was searching the header data set as far back as 8 months.
Keeping files in pcap format should be sufficient, since you can just use tcpdump or ethereal/tethereal to analyze the data.
Jon Repaci, GCIA, CISSP

At 1:15 PM +0100 7/16/04, Andy Cuff wrote:
Hi,

I was wondering whether anyone had explored the creation of The User Requirements for a Full Packet Capture Capability. Looking at things such as:

Duration of Retention, separating both headers and Data
Bandwidth issues surrounding remote collation
Streams
Unique Selling Points
etc etc

I will tackle presentation through a protocol analyser separately, though it is relevant in how the raw packet capture is stored. Solutions will be tackled on a separate subject heading in order to differentiate between the 2.

cheers in advance
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
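The header-based scoping Jon describes in his reply (keep only SYN/FIN/RST packets, then use them to see how long a hostile was logged in and who else used the same backdoor) as an added, self-contained Python example. It is not code from either poster: the pcap bytes, addresses, ports and timestamps are constructed inline, and the parser handles only classic little-endian pcap with plain Ethernet/IPv4/TCP frames, which is all the sample needs.

```python
"""Added example: keep only the SYN/FIN/RST 'header' packets from a pcap and use
them to scope an incident (session length per hostile, and who else reached the
same backdoor). All traffic below is constructed for the demo."""
import struct
from collections import namedtuple, defaultdict

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10
PCAP_SNAPLEN = 1524  # same snaplen as the -s 1524 full-content capture in the reply

Record = namedtuple("Record", "ts src dst sport dport flags")


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_packet(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs into classic libpcap format (little-endian)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, PCAP_SNAPLEN, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def filter_header_packets(pcap):
    """Offline equivalent of tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    records, off = [], 24                                  # 24-byte global header
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:               # not TCP, or truncated
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        if flags & (SYN | FIN | RST) == 0:                 # data/ACK-only packets are dropped
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        records.append(Record(ts, src, dst, sport, dport, flags))
    return records


def session_durations(records):
    """First SYN marks the start, FIN or RST marks the end; seconds per (src, dst, sport, dport)."""
    start, end = {}, {}
    for r in records:
        key = (r.src, r.dst, r.sport, r.dport)
        if r.flags & SYN and key not in start:
            start[key] = r.ts
        if r.flags & (FIN | RST):
            end[key] = r.ts
    return {k: end[k] - start[k] for k in start if k in end}


def scope_compromise(records, hostile):
    """Pivot from a known hostile: which (victim, port) did it connect to, and who else used them?"""
    targets = {(r.dst, r.dport) for r in records if r.src == hostile and r.flags & SYN}
    others = defaultdict(set)
    for r in records:
        if (r.dst, r.dport) in targets and r.src != hostile:
            others[(r.dst, r.dport)].add(r.src)
    return targets, dict(others)


# Constructed sample: hostile A uses a backdoor port for 10 minutes, a web client
# talks to port 80, and a second source B later touches the same backdoor port.
SAMPLE_PCAP = build_pcap([
    (1000, build_tcp_packet("203.0.113.5", "192.0.2.10", 40000, 31337, SYN)),
    (1600, build_tcp_packet("203.0.113.5", "192.0.2.10", 40000, 31337, FIN | ACK)),
    (2000, build_tcp_packet("192.0.2.20", "192.0.2.10", 45000, 80, SYN)),
    (2001, build_tcp_packet("192.0.2.20", "192.0.2.10", 45000, 80, ACK)),  # filtered out
    (5000, build_tcp_packet("198.51.100.7", "192.0.2.10", 51000, 31337, SYN)),
    (5030, build_tcp_packet("198.51.100.7", "192.0.2.10", 51000, 31337, RST)),
])

if __name__ == "__main__":
    hdrs = filter_header_packets(SAMPLE_PCAP)
    print("header records kept:", len(hdrs))
    for key, secs in session_durations(hdrs).items():
        print("session", key, "lasted", secs, "s")
    targets, others = scope_compromise(hdrs, "203.0.113.5")
    print("hostile reached:", targets)
    print("other sources on the same backdoor:", others)
```

On the sample, the ACK-only packet is dropped by the header filter, the hostile's backdoor session measures 600 seconds, and the pivot surfaces the second source on the same (victim, port) pair, which is exactly the "hey, looks like a new hostile B is also using it" observation. The same functions run unchanged over a real tcpdump -w file as long as it is classic pcap on an Ethernet link.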